For the past two weeks now we have been absolutely hammered with calls here in CSS Security at MS from organizations that have contracted this piece of malware.
You can find write-ups from various AV companies at the following URLs:
The write-ups are all pretty good; some have details that the others don't, and so on. We see a range of cases, from customers who are missing the patch to customers who are completely patched but are still seeing this piece of malware in their environment causing issues. The interesting thing about this piece of malware is that it really singles out organizations that have not done a good job with their security policies and procedures. The MMPC group made a post about it, http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx , where they linked Jesper's password paper from 2005, http://technet.microsoft.com/en-us/library/cc512606.aspx !!! This guidance and similar guidance has been out for 3+ years now and we still have customers that aren't following it. I sometimes wonder if we should just push out a "critical update" that applies to all DCs and updates their Default Domain and Default Domain Controller Policies for them to something more acceptable :) Of course we would probably take a lot of flak for that :) /Rant Off
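Since the point above is that a weak Default Domain Policy is what lets this thing spread, here is an added example (my own check, not code from the original post, from MMPC or from Jesper's paper) that reads the domain's effective password and lockout policy and reports where it falls below a minimum bar. It assumes the ActiveDirectory PowerShell module (RSAT on Windows 7 / Server 2008 R2 or later), PowerShell 3 or later, and an account that can read the domain object; the thresholds in `$PolicyBar` are assumptions chosen for the example, not values quoted from any Microsoft guidance, so substitute your own standard.

```powershell
# Added example (not from the original post): audit the domain's default
# password and lockout policy against a minimum bar.
# Assumes the ActiveDirectory module (RSAT / Server 2008 R2 or later),
# PowerShell 3+, and a domain-joined account that can read the domain object.
Import-Module ActiveDirectory -ErrorAction Stop

# The bar below is an assumption chosen for this example; substitute the
# thresholds from your own password standard.
$PolicyBar = @{
    MinPasswordLength    = 14
    MaxPasswordAgeDays   = 90     # 0 / "never expires" counts as a failure
    LockoutThreshold     = 10     # 0 means accounts never lock out
    PasswordHistoryCount = 24
}

function Test-DomainPasswordPolicy {
    [CmdletBinding()]
    param(
        [string]$Server,                 # optional: a specific DC to query
        [hashtable]$Bar = $PolicyBar
    )
    $params = @{}
    if ($Server) { $params['Server'] = $Server }
    $p = Get-ADDefaultDomainPasswordPolicy @params

    $findings = New-Object System.Collections.Generic.List[string]
    if ($p.MinPasswordLength -lt $Bar.MinPasswordLength) {
        $findings.Add("MinPasswordLength is $($p.MinPasswordLength); want >= $($Bar.MinPasswordLength)")
    }
    if (-not $p.ComplexityEnabled) {
        $findings.Add("ComplexityEnabled is false")
    }
    # MaxPasswordAge is a TimeSpan; zero or an enormous value both mean "never expires".
    $ageDays = $p.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $Bar.MaxPasswordAgeDays) {
        $findings.Add("MaxPasswordAge is $ageDays days; want 1..$($Bar.MaxPasswordAgeDays)")
    }
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Bar.LockoutThreshold) {
        $findings.Add("LockoutThreshold is $($p.LockoutThreshold); want 1..$($Bar.LockoutThreshold)")
    }
    if ($p.PasswordHistoryCount -lt $Bar.PasswordHistoryCount) {
        $findings.Add("PasswordHistoryCount is $($p.PasswordHistoryCount); want >= $($Bar.PasswordHistoryCount)")
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add("ReversibleEncryptionEnabled is true (passwords recoverable from AD)")
    }

    [pscustomobject]@{
        Domain   = $p.DistinguishedName
        Passed   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Fine-grained password policies (2008 domain functional level and up) override
# the default for the groups they apply to, so a weak PSO must be checked too.
function Get-WeakFineGrainedPolicy {
    param([hashtable]$Bar = $PolicyBar)
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object {
            $_.MinPasswordLength -lt $Bar.MinPasswordLength -or
            -not $_.ComplexityEnabled -or
            $_.LockoutThreshold -eq 0
        } |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold, AppliesTo
}

Test-DomainPasswordPolicy | Format-List
Get-WeakFineGrainedPolicy | Format-Table -AutoSize
```

On hosts without the ActiveDirectory module, `net accounts /domain` prints the same default-policy values (minimum length, maximum age, lockout threshold) and can be eyeballed against the same bar; it does not show fine-grained policies, which is why the second function is there.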
So, things you should look at doing if you are hit with this:
I may add more to this later; it's getting late my time and I'm sure it's going to be another long day tomorrow. Hopefully this helps someone.
Lots of problems trying to ID the file that's causing the behavior (if your AV isn't picking it up), since this is being repacked and redistributed to avoid detection.
In most cases it creates a scheduled task pointing right at the offending file. So check C:\windows\task and see what file it's pointing to, and get that file to your AV vendor for new DAT files.
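To make the check in the comment above repeatable across a fleet, here is an added example of my own (not code from the commenter, from the original post or from any AV vendor) that enumerates every scheduled task with `schtasks.exe`, resolves the file the task actually runs (the DLL when the task goes through `rundll32`), and flags targets that are missing, unsigned, unreadable, or outside the usual program locations, along with a SHA-256 to hand to the vendor. It assumes PowerShell 3 or later, an elevated prompt, and that `schtasks /query /fo CSV /v` is producing English column headers (`TaskName`, `Task To Run`, `Run As User`); the list of trusted roots is an assumption for the example.

```powershell
# Added example (not from the original post or any vendor): enumerate scheduled
# tasks, resolve the file each one really runs, and flag candidates to send to
# the AV vendor. Uses schtasks.exe so it also covers XP/2003-era hosts; run it
# from an elevated PowerShell 3+ prompt.

function Get-TaskTargetPath {
    param([string]$CommandLine)
    # "Task To Run" is a raw command line. A task launched via rundll32 is really
    # about the DLL handed to rundll32, so resolve that instead of rundll32.exe.
    if ($CommandLine -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $matches[1].Trim() }
    if ($CommandLine -match '^\s*"([^"]+)"')                         { return $matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Get-FileSha256 {
    param([string]$Path)
    # .NET directly, so this also works on PowerShell versions before Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Get-ScheduledTaskTriage {
    [CmdletBinding()]
    param(
        # Assumed set of places a legitimate task binary normally lives; anything else is flagged.
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                                    $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    # schtasks repeats its CSV header once per task folder; drop those pseudo-rows.
    $tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }

    foreach ($t in $tasks) {
        $cmd = $t.'Task To Run'
        if ([string]::IsNullOrWhiteSpace($cmd) -or $cmd -eq 'N/A') { continue }

        $target  = [Environment]::ExpandEnvironmentVariables((Get-TaskTargetPath $cmd))
        $reasons = New-Object System.Collections.Generic.List[string]
        $hash = $null; $sigStatus = $null

        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            # A file hidden from the file system by a rootkit fails this test as well.
            $reasons.Add('target file missing or hidden')
        } else {
            $inTrusted = $false
            foreach ($root in $TrustedRoots) { if ($root -and $target -like "$root\*") { $inTrusted = $true } }
            if (-not $inTrusted) { $reasons.Add('target outside trusted roots') }

            $sigStatus = (Get-AuthenticodeSignature -FilePath $target).Status
            if ($sigStatus -ne 'Valid') { $reasons.Add("signature $sigStatus") }

            # Malware that ACLs its own files off shows up here as an unreadable target.
            try   { $hash = Get-FileSha256 $target }
            catch { $reasons.Add("cannot read target: $($_.Exception.Message)") }
        }

        [pscustomobject]@{
            TaskName  = $t.TaskName
            RunAs     = $t.'Run As User'
            Command   = $cmd
            Target    = $target
            Signature = $sigStatus
            SHA256    = $hash
            Flags     = ($reasons -join '; ')
        }
    }
}

# Flagged tasks first; the SHA256 column is what to give the AV vendor.
Get-ScheduledTaskTriage |
    Sort-Object { $_.Flags -eq '' } |
    Format-Table TaskName, RunAs, Target, Signature, Flags -AutoSize
```

A file sitting in System32 is not exonerated by its location: the signature and readability checks still apply, which is why "outside trusted roots" is only one of several flags rather than the sole criterion.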
We have this virus in our web. Do you know of any specific removal tool for this virus? Our AV provider doesn't have any treatment for this virus.
No specific removal tools. Trend Micro does have a Sysclean utility, which is like a command-line scanner you can use with their definitions; it seems to be working OK at some sites.
It's a pity that MSFCS, like other major endpoint security vendors, doesn't protect against behavioural targeting threats such as the B worm.... Maybe folks using MSFCS would then not be making the many calls to MS?
Great article though! I like your "context" and frankness....
The virus is actually a rootkit, therefore use GME as part of your toolkit to detect it, and then use up-to-date virus defs to remove it or follow the manual instructions on your AV/malware product vendor's website....
Well, as for FCS, we were actually one of, if not the, first AV company to have any detection whatsoever for the .B variant of this. In some senses our product is very 1.0-ish at times :), especially in areas like working hand in hand with a firewall, etc. During the last two weeks, though, I have worked multiple cases that included at least 4+ other major AV companies, and in every case the ACLs on the files combined with the rootkit capabilities of this piece of malware were evading detection/removal. During the end of this past week, however, the AV companies appear to be finally catching up.
Does anyone know how to contain the bloody virus? I do update the PCs on my network and also update the antivirus scanner, but it always shows me there's someone with the virus. Does anyone have a clue how to contain it or avoid more copies of it?
Symantec has released a cleanup utility that will remove the virus from infected computers.
The Removal Tool does the following:
· Terminates the associated processes
· Deletes the associated files
· Deletes the registry values added by the threat
· Removes the scheduled jobs created by the worm
· Re-enables Windows Update
This fix will work on any computer; you don't need to have SAV installed for it to work.
Also, the fix has been released with command-line switches... we can run it silently with no reboot. So we should be able to set up Altiris jobs to run the fix automatically.
Please see this link for more information and a download link:
Have found what is perhaps a variant today that nothing seems to be able to clean up. Some AV software is cleaning up the service that gets created, but is not repairing service.exe.
Nasty little bug.
Did Downadup/Conficker attack your network? I've created a batch file for system administrators to clean/patch/cure infected systems on their networks.
Check it out here:
I found that the B variant keeps coming back even after cleanup using the Symantec FixTool. I had to erase all of the services it registered in the Registry manually.
You MUST disable System Restore on your PCs. Until we did that with a group policy, it just kept coming back. We would run the cleanup tools and frequent full system scans that came back clean, and it would reappear hours later. And set your AV scan defaults to delete as the first attempt, quarantine second.
What passwords does it attempt? Is there a pre-defined list?